DLS range query is failing: permission filters are not allowed to use the current timestamp

stack-security

(Nanda Koothrappahli) #1

I try to use the following query as a DLS (Document level security) query:

"range": {
  "@timestamp": {
    "gt": "now-1d"
  }
}

This is failing with the error message: "permission filters are not allowed to use the current timestamp" . Why is this not possible and how to solve it?

I did not found anything in the documentation about this. Docs just saing: "The specified query expects the same format as if it was defined in the search request and supports the full Elasticsearch Query DSL"


(Yogesh Gaikwad) #2

Hi @nkoothrappahli,

I think this has more to do with how DLS is implemented internally.
The document cache is built per-segment, and now would keep changing all the time, requiring us to do cache invalidation for each query. This would not be performant.

There might be another way to solve your problem, but not knowing enough details its hard to suggest anything. Please share some details on the problem that you are trying to solve and we can come up with some solution.

Hope this helps.

Thanks and Regards,
Yogesh Gaikwad